Where a business uses only one Local Area Network (LAN) to interconnect computers within the business structure, security is not an overly significant concern. The Information Technology specialist might be concerned with the potential for attacks coming from external networks (such as the Internet and other larger networks to which the business LAN is connected) and with employees bringing viruses onto computers by e-mail or disk. But typically, the IT specialist does not have to worry about legitimate business traffic crossing the boundary between the LAN and external networks. The IT specialist may implement simple rules in a firewall to protect the LAN from attack, because employees seldom need to access external services for business purposes.
All of this changes when the business grows sufficiently to justify two or more disparate LANs connected via a Wide Area Network (WAN), where one LAN is a highly secure network and the other LAN is less secure. Now, legitimate work-related traffic may cross the boundary between the LANs. For example, a service hosted on the highly secure LAN may be used by computers on the less secure LAN.
Consider the situation shown in FIG. 1. FIG. 1 shows two local area networks (LAN) 105 and 110. LAN 105, as a highly secure LAN, is protected by firewall 115. Both LANs are connected to WAN 120 (LAN 105 via firewall 115).
Now, suppose that computer 125 on LAN 110 attempts to access services offered by host 130, on LAN 105. Because the communication originates outside LAN 105, firewall 115 must be configured to allow the communication to reach host 130. Currently, configuring the firewalls is a complicated process, requiring manual analysis of traffic, trial-and-error configuration, and lengthy implementation times.
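The following is an added example (not part of the original text, and not the invention described) that models the FIG. 1 topology as a default-deny firewall in front of LAN 105. It shows that computer 125's request to host 130 is dropped until firewall 115 carries an explicit exception, that a least-privilege exception admits only that host and port, and it includes an audit that flags the over-broad "allow everything from LAN 110" rules that trial-and-error configuration tends to leave behind. All addresses, ports, the rule format and the function names are assumptions chosen for illustration.

```python
"""Model of FIG. 1: firewall 115 in front of the secure LAN 105, a client on
the less secure LAN 110.  Added example; addressing and rule syntax are
assumptions, not taken from the original text."""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

# Constructed addressing for the two LANs (assumption: private ranges).
LAN_105 = ipaddress.ip_network("10.1.0.0/24")      # highly secure LAN behind firewall 115
LAN_110 = ipaddress.ip_network("10.2.0.0/24")      # less secure LAN
HOST_130 = ipaddress.ip_address("10.1.0.30")       # service host on LAN 105
COMPUTER_125 = ipaddress.ip_address("10.2.0.25")   # client on LAN 110


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                           # "tcp", "udp" or "any"
    dport: Optional[int]                 # None matches any destination port

    def matches(self, src, dst, proto, dport) -> bool:
        return (src in self.src and dst in self.dst
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))


class Firewall:
    """First-match rule list with an implicit final deny (default-deny)."""

    def __init__(self, rules=()):
        self.rules: List[Rule] = list(rules)

    def decide(self, src, dst, proto, dport) -> str:
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for rule in self.rules:
            if rule.matches(src, dst, proto, dport):
                return rule.action
        return "deny"                    # nothing matched: the boundary stays closed


def build_firewall_115(service_port: Optional[int] = None) -> Firewall:
    """Firewall 115 with, optionally, one least-privilege exception for host 130."""
    rules = [Rule("allow", LAN_105, LAN_105, "any", None)]   # intra-LAN 105 traffic
    if service_port is not None:
        # Only LAN 110 -> host 130 on the one service port crosses the boundary.
        rules.append(Rule("allow", LAN_110,
                          ipaddress.ip_network(f"{HOST_130}/32"),
                          "tcp", service_port))
    return Firewall(rules)


def audit_broad_allows(fw: Firewall) -> List[Rule]:
    """Allow rules admitting traffic from outside LAN 105 to more than one host,
    or without a port restriction: the shape a trial-and-error rule usually takes."""
    return [r for r in fw.rules
            if r.action == "allow" and not r.src.subnet_of(LAN_105)
            and (r.dst.num_addresses > 1 or r.dport is None)]


if __name__ == "__main__":
    closed = build_firewall_115()
    opened = build_firewall_115(service_port=443)
    print("no exception :", closed.decide(COMPUTER_125, HOST_130, "tcp", 443))
    print("exception    :", opened.decide(COMPUTER_125, HOST_130, "tcp", 443))
    print("other port   :", opened.decide(COMPUTER_125, HOST_130, "tcp", 22))
    sloppy = Firewall([Rule("allow", LAN_110, LAN_105, "any", None)])
    print("broad rules  :", len(audit_broad_allows(sloppy)))
```

The point of `audit_broad_allows` is that the difficulty described above is not only getting traffic through at all, but getting it through without opening more of LAN 105 than the one service host 130 offers.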
Embodiments of the invention address these problems and others in the art.